33. (New) The method of claim 31, wherein the second test data output signal of the 
microcomputer is compared to the first test data output signal of the monitoring unit while the 
control unit is operating. 

34. (New) The method of claim 31, wherein a clock generator is stopped by the microcomputer 
during at least one of: the IDDQ measurement; and the comparing of the second test data output 
signal of the microcomputer with the first test data output signal of the monitoring unit. 

35. (New) The method of claim 31, wherein the test data input signal of the monitoring unit is
generated by a test data signal generator via a feedback shift register.



36. (New) The method of claim 35, wherein the test data output signal of the monitoring unit is 
generated by a response generator using a Reed-Muller code.--. 



Remarks

This Preliminary Amendment cancels without prejudice original claims 1 to 18
and substitute claim 12 in the underlying PCT Application No. PCT/DE00/00157, and adds
without prejudice new claims 19 to 36. The new claims conform the claims to U.S. Patent and
Trademark Office rules and do not add new matter to the application.

In accordance with 37 C.F.R. § 1.121(b)(3), the Substitute Specification 
(including the Abstract, but without the claims) contains no new matter. The amendments 
reflected in the Substitute Specification (including Abstract) are to conform the Specification and 
Abstract to U.S. Patent and Trademark Office rules or to correct informalities. As required by 37 
C.F.R. § 1.121(b)(3)(iii) and § 1.125(b)(2), a Marked Up Version Of The Substitute Specification 
comparing the Specification of record and the Substitute Specification also accompanies this 
Preliminary Amendment. In the Marked Up Version, shading indicates added text and brackets
indicate deleted text. Approval and entry of the Substitute Specification (including Abstract) is
respectfully requested. 

The underlying PCT Application No. PCT/DE00/00157 includes an International
Search Report, dated June 14, 2000. The Search Report includes a list of documents that were 
uncovered in the underlying PCT Application. A copy of the Search Report accompanies this 
Preliminary Amendment.

The underlying PCT application also includes an International Preliminary
Examination Report, dated May 16, 2001, and an annex (including Revised/Substitute Claim 12). 
An English translation of the International Preliminary Examination Report and the annex 
accompanies this Preliminary Amendment. 

Applicants assert that the subject matter of the present application is new, non- 
obvious, and useful. Prompt consideration and allowance of the application are respectfully 
requested. 



Dated: [illegible]




Richard L. Mayer
(Reg. No. 22,490) 

One Broadway 

New York, NY 10004 

(212) 425-7200 



CUSTOMER NO. 26646

[10191/1923]

CONTROL UNIT FOR CONTROLLING SAFETY-CRITICAL APPLICATIONS





FIELD OF THE INVENTION 

The present invention relates to a control unit for
controlling safety-critical applications, having a
microcomputer (MC), a monitoring unit (check unit, CU), and
peripheral circuits (input output, IO). Furthermore, the
present invention relates to a method for checking a
microcomputer (MC) of a control unit for controlling
safety-critical applications, the control unit having a
microcomputer (MC), a monitoring unit (check unit, CU), and
peripheral circuits (input output, IO).

[Background Information]
BACKGROUND INFORMATION

In control units that control or regulate applications or 
functions that are critical with regard to safety, errors of 
the microcomputer (MC) or of a processor of the microcomputer 
[must] may be detected by monitoring. Such control units having 
safety tasks are used, for example, for anti-lock braking 
systems, for traction control systems, and/or for electronic 
stability programs. The safety-critical applications 
controlled by the control unit are connected to the control 
unit via the peripheral circuits. In the case of 
single-computer control units, methods having a self-test,
plausibility check, and watchdog [are known] may be available. 

For testing CMOS chips (integrated circuits, IC) at the 
manufacturer, methods and measuring devices for measuring the
quiescent current are used. The background of the so-called
quiescent current test is that in a digital CMOS chip in 
purely static logic, it is believed that almost the entire 
power loss during the switching operations occurs in its 
interior. In the rest state, the current flow is restricted to 
tiny leakage currents as well as to currents through pullup 
resistors or pulldown resistors at the inputs and through 
external loads at the output drivers. [Many] 

It is believed that various production-dependent errors may 
lead to increased conductivity between the positive and 
negative supply voltage [. A], and that activating such
defective regions (point defects) of the circuit causes the 
current consumption to increase abruptly. Such defects 
[can] may be ascertained by a highly exact measurement of the 
current consumption during the test operation and a comparison 
to corresponding setpoint values. As already stated, such a 
quiescent current measurement [is] may be used in the 
manufacture of CMOS chips to sort out the defective chips 
after the manufacturing process. 

[It is known from the related art to also use t]The quiescent
current test method [known], which is believed to be available
for use in the [manufacture] manufacturing of computer modules
for the control units [of the species cited at the outset] (as
referred to above), to test the computer modules during their
normal operation [in order to be able to detect] for detecting
what may be the most frequent defects in the computer modules,
in particular in the microcomputer (MC), e.g. lock-up errors
(stuck-at), bridge errors (bridging), and/or interrupt errors
(stuck-open).

[It is further known from the related art to provide] An
available approach for increasing reliability in the case of
control units (as referred to above) involves providing two
MCs, which reciprocally test one another by parallel computing
and/or plausibility checks [, to increase reliability in the
case of control units of the species cited at the outset].
However, cost considerations [result in the suggestion of] may
suggest using only one MC for such control units.

[The object] SUMMARY OF THE INVENTION

An object of an exemplary method and embodiment
of the present invention is to [develop and further
refine] provide a control unit [of the species cited at the
outset to the effect that] in which the reliability of the
error detection is [further] improved, and the detection is
expanded to additional types of errors.

[To achieve this object, starting from a control unit of the
species cited at the outset,] In an exemplary embodiment of the
present invention [proposes that], the monitoring unit (CU)
has a first [means] apparatus, arrangement or structure for
measuring the quiescent current of the microcomputer (MC),
[that] at least one handshake line for controlling the
measurement of the quiescent current runs between the first
[means] apparatus, arrangement or structure of the CU and the
MC, [that] the CU has a second [means] apparatus, arrangement
or structure for applying a test data input signal to the MC
to process the test data input signal and compare the
corresponding test data output signal of the MC to the
corresponding test data output signal of the CU, and [that] at
least one test data signal transmission line runs between the
second [means] apparatus, arrangement or structure of the CU
and the MC.

In accordance with the exemplary embodiment and/or exemplary
method of the present invention, [it was recognized that] the
reliability of the error detection can be increased by using
two different test methods that supplement one another. In
this manner, it is believed that a significantly greater
number of different error types of the computer modules of the
MC can be detected.



The control unit according to the exemplary embodiment of the
present invention can also have a plurality of MCs and a
plurality of CUs. However, the following assumes that the
control unit has one MC and one CU. The CU of the control unit
according to the exemplary embodiment of the present invention
has a first [means] apparatus, arrangement or structure for
measuring the quiescent current of the MC.

At least one handshake line for controlling the measurement of
the quiescent current runs between the first [means] apparatus,
arrangement or structure of the CU and the MC. The handshake
line can, for example, be [designed as] a bidirectional line.

After the control unit is switched on, the quiescent current
is measured for a set number (typically 8 to 16) of selected
commands within the framework of a test program. For example,
14 selected commands containing an internal machine cycle are
processed for microcomputer TMS470.

To supplement the quiescent current measurement, the CU of the
control unit according to the exemplary embodiment of the
present invention has a second [means] apparatus, arrangement
or structure. At least one transmission line for test data
signals runs between the second [means] apparatus, arrangement
or structure of the CU and the MC.

The second [means apply] apparatus, arrangement or structure
applies a test data signal to the MC. The MC calculates a test
data output signal, which is dependent upon the test data
input signal and the states inside the MC. Defective states
result in a changed test data output signal of the MC.

In the second [means] apparatus, arrangement or structure of
the CU, the test data input signal is also processed to form a
test data output signal that is used as a reference signal for
checking the test data output signal of the MC. When
calculating the test data output signal, the CU assumes an
error-free, functioning MC. The completed calculation
[preferably] may ha[s]ve a [very] "very simple" design. [ ]

The microcomputer does not have a double design, and the same
computation is not carried out by the CU as by the MC, as is
the case for parallel computer systems. Rather, starting from
the input data of a predefined test function, the MC
calculates the output data whose results are checked by the CU
using the reference signal calculated by it. The test function
used for calculating the output data [typically has a very] may
be "very simple [design]" in its implementation. The
calculation only requires minimal computing time. However,
complex tests and results from the application programs can
also be included in this test function.

Finally, the test data output signal of the CU is compared to
the test data output signal of the MC. If they deviate from
one another, or if the deviation exceeds a predetermined
threshold value, the CU recognizes an error of the MC. The
test result can be displayed by a display device and/or it can
be provided that upon occurrence of an error, [provision is
made for] and the system may be controlled and/or regulated by
the control unit to be switched off.

According to [an advantageous further refinement] another
exemplary embodiment of the present invention, [it is proposed
that] the first [means] apparatus, arrangement or structure
includes an IDDQ measuring circuit, a voltage supply, an IDDQ
measuring run control (MAS), and a control system of the CU,
and that the connection between the first [means] apparatus,
arrangement or structure, and the MC includes two handshake
lines that run from the IDDQ-MAS to the MC and at least one
voltage supply line that runs from the voltage supply to the
MC, at least one of the voltage supply lines running through
{or across} the IDDQ measuring circuit. In semiconductors, IDD
designates the positive supply current. IDDQ designates the
quiescent current. The handshake lines are, for example,
configured as START and END handshake lines for starting and
acknowledging the completion of the functional test.

The communication between the MC and the CU for measuring the 
quiescent current is carried out via the two handshake lines. 
The quiescent current of the MC is measured by the CU via the 
separate voltage supply lines. 


As stated, the exemplary embodiment of the present invention
relates to a control unit having a monitoring unit for
checking the microcomputer of the control unit. A voltage
supply unit is provided for supplying voltage to the control
unit and, as such, also to the microcomputer. The control unit
of the CU includes [means] an apparatus, arrangement or
structure that can bring the MC into specific operating
states. [ ]

Furthermore, [present in] the IDDQ measuring circuit includes
a[re] measuring [means] apparatus, arrangement or structure
that ascertains the current or voltage in the voltage supply
circuit of the MC, whereupon the determined current or the
determined voltage [is] may be compared in a comparison
[means] apparatus, arrangement or structure, also present in
the IDDQ measuring circuit, to at least one predefined
threshold value.

By [simply] measuring the current or voltage, a plurality of
possible errors in the computer can be ascertained using the
IDDQ measurement. In this context, it is believed that what
may be the most frequent errors in the components of the MC
can be substantially covered using a minimum of test steps.
Such errors can be lock-up errors (stuck-at), bridge errors
(bridging), and/or interrupt errors (stuck-open).

As a result of the combination of the quiescent current 
measurement and another suitable checking method, in 
particular including a check of the functionality of the MC 
based on test data records, it is believed that errors 
[are] may be widely covered with respect to the significant 
errors in computer modules, in particular in CMOS processors,
in a [manner] way that may be particularly advantageous for
safety-critical applications.

The abovementioned elimination of the second processor is
largely retained so as to provide an economic advantage of the
control unit according to the exemplary embodiment of the
present invention, since the quiescent current measurement
according to the exemplary embodiment of the present invention
may only require[s] a minimal hardware expenditure.

By specially controlling the MC, the IDDQ-MAS brings
predetermined components of the MC into a low-current state.
The background of this control [is] involves the fact that
[typically] components [are] present in the MC [that] may
require a relatively high current. Since, as stated at the
outset, the quiescent current measurement [is generally] may be
based on fluctuations in the quiescent current within
relatively small bandwidths, the high current consumption of
the MC components interferes with the IDDQ measurement. In
particular, [it is provided ]th[at]e components to which the
IDDQ measurement does not apply are brought into a low-current
state. Such components can be the MC output stage and/or an
input stage (e.g. analog/digital converter), as well as
circuits for internally multiplying the clock pulse. [ ]

In the simplest case, the components having high current 
consumption are switched off during the test. Thus, internal 
circuit elements and circuit outputs that carry high currents 
are switched off. Subsequently, the quiescent current can be
measured.

In addition to switching off the components of the MC having
high current as mentioned above, [it can also be provided that]
the core of the MC [is to] may be brought into a state of low
current consumption. In the case of such MC modules configured
specifically for the quiescent current measurement, a special
operating state, a so-called IDDQ test mode, [is] may be
provided. In this operating state, all currents inside of the
computer are switched off, i.e., the current in the MC core is
minimized. [ ]

The IDDQ design is such that standard errors in the MC core
become noticeable as an increase in the quiescent current.
Thus, for example, short-circuit errors and/or stuck-at errors
(short circuit to ground or the supply voltage) are
[immediately] "immediately" or quickly manifested in an
increase in the quiescent current. In this context, it is not
believed to be necessary to pass on (to propagate) the effect
of such an error to the outputs of the MC. The increased
current consumption is the immediate error indicator.



In addition to the IDDQ test mode described above, it can be
provided that only the MC components having a high current are
switched off, and, in response to a command, the MC enters a
defined low-current state. In this context, the MC core does
not have to be specially configured for the IDDQ test mode.
This is called the power-down mode.

The power-down mode is initiated by loading internal
components of the computer, such as the register and memory,
with certain patterns, and by bringing the abovementioned
computer components into a state of low current consumption,
e.g., by executing a certain computer command. If this state
is achieved, a clock generator can be selectively switched off
or disconnected. Subsequently, the quiescent current or a
corresponding voltage value is measured and compared to a
threshold value corresponding to the above-set operating state
(power-down state) of the MC core. If certain errors are
present in the computer (stuck-at errors, bridging errors,
stuck-open errors), the result [is typically] may be an
increase in the quiescent current or in the voltage drop
caused by the quiescent current.

After such a test step, additional test steps can follow in
that the power-down mode is first exited by applying certain
signal levels to specific connections of the MC. By again
starting or switching on the clock generator, the internal
computer components, such as the register and the memory, are
loaded with additional patterns, and the abovementioned
components are again brought into a low-current state, e.g.,
by executing a specific computer command (power-down command).
The above-described measurement of the quiescent current then
follows. As a result of a plurality of such consecutively
performed measurements of the power-down current, errors in
the registers, memories, and components of the computer core
[are] may be ascertained in an increasingly more complete
manner.

According to the exemplary computer [type] and [design of
the] exemplary circuit, the individual test steps are ended by
re-enabling the clock generator, by triggering a reset, or by
triggering an external interrupt. After the last test step,
the MC runs again in its normal operating mode (normal
operation).

In addition [of] to the above-described quiescent current
measurement in the power-down mode, provision is also made in
accordance with the exemplary embodiment of the present
invention for the quiescent current to be measured in the
indicated IDDQ test mode [,] (provided the computer to be
checked is suitably configured). The start of the IDDQ test
mode is initiated by changing the signal level at a connection
of the MC, for example. Also in this context, the register and
memory are loaded with certain patterns prior to entering the
IDDQ test mode. [ ]

Upon entering the IDDQ test mode, the computer components
having high current consumption are switched off. Furthermore,
by discontinuing or decoupling the time pulse while executing
a command, the computer core can be kept in a state
[typical] "typical" for this command. These commands are
selected [in such a manner] so that they adjust the states of
the internal circuit nodes of the computer core so that as
many errors as possible or at least more errors can be
detected via the quiescent current measurement.

The handshake for the quiescent current measurement is carried 
out or performed in a number of steps: 

S1: The MC sets the START signal to HIGH. Consequently, the
CU knows that an IDDQ measurement is beginning.

S2: The MC can selectively prepare to stop the time pulse
(master clock, MCLK), in that it sets a signal PREP to
LOW via an internal command.

S3: The MC decodes the precisely defined instant within the
next suitable command for the IDDQ test and also sets a
signal DEKOD to LOW. Now the MCLK is set equal to LOW,
and the digital component of the MC is set to static
operation for the IDDQ measurement.

S4: The CU performs the IDDQ measurement.

S5: The CU outputs the level sequence LOW-HIGH-LOW at the
signal END, thereby reactivating the MCLK.

S6: The MC becomes active again and confirms the end of the
measurement by setting the START signal to LOW. The MC
continues the program and prepares the next IDDQ
measurement or ends the IDDQ measurement when all
measurements have been carried out.
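
The S1 to S6 sequence above can be checked mechanically against a sampled trace of the START, MCLK and END lines, for example on a test bench. The following C checker is an added example, not part of the specification: the sample layout, the microamp unit, the 50 µA limit and every trace value are constructed assumptions, and PREP and DEKOD are treated as MC-internal signals that are not sampled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* One sample of the lines named in steps S1 to S6 plus the supply current
 * seen by the IDDQ measuring circuit. */
typedef struct {
    bool     start;    /* START, MC -> CU: HIGH from S1 until S6        */
    bool     mclk_on;  /* MCLK running; false = static operation (S3)   */
    bool     end;      /* END, CU -> MC: LOW-HIGH-LOW pulse (S5)        */
    unsigned iddq_ua;  /* supply current in microamps (assumed unit)    */
} sample_t;

typedef enum { IDLE, WAIT_STATIC, WAIT_END_HIGH, WAIT_END_LOW, WAIT_ACK } phase_t;

typedef struct {
    int steps;       /* completed S1..S6 cycles                         */
    int over_limit;  /* cycles whose static current exceeded the limit  */
    int violation;   /* index of first out-of-order sample, else -1     */
} result_t;

result_t check_iddq_trace(const sample_t *t, size_t n, unsigned limit_ua)
{
    result_t r = { 0, 0, -1 };
    phase_t p = IDLE;
    unsigned peak = 0;

    for (size_t i = 0; i < n; i++) {
        const sample_t *s = &t[i];
        bool ok = true;
        switch (p) {
        case IDLE:            /* S1: START rises while the clock still runs */
            ok = s->mclk_on && !s->end;
            if (s->start) p = WAIT_STATIC;
            break;
        case WAIT_STATIC:     /* S2/S3: MC stops MCLK, START stays HIGH */
            ok = s->start && !s->end;
            if (!s->mclk_on) { peak = s->iddq_ua; p = WAIT_END_HIGH; }
            break;
        case WAIT_END_HIGH:   /* S4: measure while static, until END rises */
            ok = s->start;
            if (s->end) {
                if (peak > limit_ua) r.over_limit++;
                p = WAIT_END_LOW;
            } else {
                ok = ok && !s->mclk_on;
                if (s->iddq_ua > peak) peak = s->iddq_ua;
            }
            break;
        case WAIT_END_LOW:    /* S5: END falls, MCLK must be running again */
            ok = s->start;
            if (!s->end) { ok = ok && s->mclk_on; p = WAIT_ACK; }
            break;
        case WAIT_ACK:        /* S6: MC confirms by setting START LOW */
            ok = s->mclk_on && !s->end;
            if (!s->start) { r.steps++; p = IDLE; }
            break;
        }
        if (!ok) { r.violation = (int)i; return r; }
    }
    if (p != IDLE) r.violation = (int)n;   /* trace ended mid-cycle */
    return r;
}

/* Constructed trace: one idle sample, then `cycles` complete cycles (max 16).
 * static_ua is the current during static operation; drop_start_at >= 0 makes
 * the MC release START at that sample index (a protocol fault). */
result_t run_constructed_trace(int cycles, unsigned static_ua, int drop_start_at)
{
    static const sample_t cycle[6] = {
        {1,1,0,41000}, {1,0,0,0}, {1,0,0,0}, {1,0,1,0}, {1,1,0,40000}, {0,1,0,42000}
    };
    sample_t t[1 + 6 * 16] = { {0,1,0,42000} };
    size_t n = 1;
    if (cycles > 16) cycles = 16;
    for (int c = 0; c < cycles; c++)
        for (int k = 0; k < 6; k++) {
            t[n] = cycle[k];
            if (!cycle[k].mclk_on) t[n].iddq_ua = static_ua;
            if ((int)n == drop_start_at) t[n].start = false;
            n++;
        }
    return check_iddq_trace(t, n, 50);   /* 50 uA limit is an assumption */
}

int main(void)
{
    result_t r = run_constructed_trace(14, 12, -1);
    printf("steps=%d over_limit=%d violation=%d\n", r.steps, r.over_limit, r.violation);
    return 0;
}
```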

Two voltage supply lines [preferably] may run between the 
voltage supply and the MC, one voltage supply line running 
through the IDDQ measuring circuit. The quiescent current of 
the MC is measured via the voltage supply line that runs 
through the IDDQ measuring circuit. 

According to another [advantageous further
refinement] exemplary embodiment of the control unit according
to the present invention, [it is proposed that] the first
[means] apparatus, arrangement or structure includes an IDDQ
measuring circuit, a voltage supply, an IDDQ measuring run
control (MAS), and a control system of the CU, and [that] the
connection between the first [means] apparatus, arrangement or
structure and the MC includes four handshake lines that run
from the IDDQ-MAS to the MC and at least one voltage supply
line that runs from the voltage supply to the MC, at least one
of the voltage supply lines running through the IDDQ measuring
circuit. [ ]

In the case of four handshake lines, a time-pulse (CLK) line 
and a line for a power-down (PWRDN) control can be provided 
for the MC in addition to the lines START, END in the case of 
two handshake lines. In this [specific] exemplary embodiment of
the control unit, a shared voltage supply line to the 
processor is sufficient, the quiescent current being measured 
in the voltage supply line. The clock generator is then 
stopped in the CU. The control of voltage supply circuits for 
analog circuits and IO circuits in the MC is carried out or 
performed via the PWRDN line from the CU. As such, only the 
quiescent current of the digital component of the MC flows in 
the measuring case through the shared voltage supply line. 

Advantageously, the first [means have] apparatus, arrangement
or structure includes an initialization circuit, which
receives an initialization signal from the voltage supply
after the control unit is switched on and subsequently
transmits an enable signal to the IDDQ-MAS to enable the IDDQ
measurement. The successful completion of the IDDQ
measurement is signal[iz]ed by an additional signal to the
control system of the CU. Consequently, the CU advances the 
test run in that the initialization circuit enables the test 
data signal generator via an additional signal. 

According to [an advantageous specific] another exemplary
embodiment of the present invention, the second
[means] apparatus, arrangement or structure includes a test
data signal generator for applying a test data input signal to
the MC, a response generator for processing the test data
input signal and for forming a corresponding test data output
signal, a test data register for transmitting and receiving
test data, and a comparator for comparing the test data output
signal of the MC to the test data output signal of the CU[;
and t]. The connection between the second [means] apparatus,
arrangement or structure and the MC includes at least one test
data transmission line, which runs between the test data
register and the MC. Advantageously, two test data
transmission lines may run between the test data register and
the MC.

The test data signal generator is also activated by the 
initialization circuit after the control unit is enabled. In 
the test data signal generator, the test data for the MC are 
generated in a virtually random order by a feedback shift 
register. With the aid of the Reed-Muller codes, the bit 
string for the test data output signal (the so-called 
reference signal) is formed in the response generator, for 
every test data input signal. This code is used to maintain a 
distance that is as great as possible in the space of numbers 
of the test data output signals (Hamming distance). In the
comparator, the theoretically calculated test data output 
signal from the response generator of the CU is then compared 
to the actual test data output signal of the MC from the test 
data register. 

The second [means preferably have] apparatus, arrangement or
structure may also include a trigger generator, which
determines the instant at which the test data output signal of
the MC is available at the comparator, in the case of an
error-free MC. The trigger generator stipulates the instant of
the comparison of the determined test data output signal of
the MC and the actual response of the CU. As a result, it is
at least better ensured that the time slices in the MC proceed
correctly. The comparator not only checks the test data output
signal for the correct data value but also to determine
whether the test data output signal is transmitted within a
specific timing window.

Advantageously, the second [means have a] apparatus,
arrangement or structure includes an error counter, which
counts up or down, [in the event that] if the test data output
signal of the MC is not consistent with the test data output
signal of the CU, and/or [in the event that] if the test data
output signal of the MC is available at the comparator at an
instant that differs from the one determined by the trigger
generator. By a counting pulse, the comparator causes the
error counter to count up or down. If the value and instant of
the test data output signal are correct, the error counter is
decremented, for example. If the error counter falls below a
predefined value, an external warning light, for example, is
switched on or off via a signal interface, and a relay for
manipulating the safety-critical application is enabled.

The manipulation of the application to be controlled [is
typically] may be limited to discontinuing the application. In
the case of special applications, it can, however, be useful
for the error counter to have a plurality of response
thresholds, exceeding the response threshold resulting in a
different reaction in each case. As a result, the application
can be prevented from being immediately interrupted in the
case of a singular disturbance, and the disabling path can be
checked by the computer.

If the MC responds to a test data input signal at the wrong 
instant or with an incorrect value, the same test data input 
signal is applied to the MC again until the instant and value 
of the test data output signal are correct. If this does not
occur within a predefined time period, the CU switches off the
control unit or the application, and it cannot be re-activated
even by correct responses.
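
The test data signal generator, response generator, comparator with timing window, error counter and latched switch-off described in the preceding paragraphs can be simulated end to end. This C example is added here and is not taken from the specification: the 4-bit feedback shift register polynomial, the choice of the first-order Reed-Muller code RM(1,3), the counter and timing constants, the reading of the relay as enabled while the counter is below its threshold, and the stuck-at fault model are all assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed parameters: the page names the mechanisms but gives no values. */
enum { ERR_START = 4, ERR_STEP = 2, ERR_MAX = 8, ENABLE_BELOW = 2,
       T_MIN_MS = 9, T_MAX_MS = 11, PERIOD_MS = 10, RETRY_LIMIT_MS = 50 };

/* Test data signal generator: 4-bit feedback shift register (x^4 + x^3 + 1),
 * visiting all 15 non-zero patterns in a pseudo-random order. */
uint8_t lfsr4_next(uint8_t s)
{
    uint8_t fb = (uint8_t)(((s >> 3) ^ (s >> 2)) & 1u);
    return (uint8_t)(((s << 1) | fb) & 0x0Fu);
}

/* Response generator: first-order Reed-Muller code RM(1,3), 4 bits -> 8 bits.
 * Codeword bit x (x = x2 x1 x0) is a0 ^ a1*x0 ^ a2*x1 ^ a3*x2. */
uint8_t rm13_encode(uint8_t m)
{
    uint8_t cw = 0;
    for (unsigned x = 0; x < 8; x++) {
        unsigned bit = (m & 1u) ^ ((m >> 1) & x & 1u)
                     ^ ((m >> 2) & (x >> 1) & 1u) ^ ((m >> 3) & (x >> 2) & 1u);
        cw |= (uint8_t)(bit << x);
    }
    return cw;
}

/* Smallest Hamming distance between any two distinct reference signals. */
int rm13_min_distance(void)
{
    int best = 8;
    for (unsigned a = 0; a < 16; a++)
        for (unsigned b = a + 1; b < 16; b++) {
            unsigned d = rm13_encode((uint8_t)a) ^ rm13_encode((uint8_t)b);
            int w = 0;
            for (; d; d &= d - 1) w++;
            if (w < best) best = w;
        }
    return best;
}

typedef struct {
    uint8_t  challenge;  /* test data input currently applied to the MC */
    int      err;        /* error counter                               */
    unsigned retry_ms;   /* time spent re-applying the same input       */
    bool     shutdown;   /* latched: never cleared once set             */
} cu_t;

/* Comparator: value and instant must both match; updates counter and latch. */
bool cu_check(cu_t *cu, uint8_t response, unsigned t_ms)
{
    if (cu->shutdown)
        return false;                    /* correct responses no longer help */
    bool ok = response == rm13_encode(cu->challenge)
           && t_ms >= T_MIN_MS && t_ms <= T_MAX_MS;
    if (ok) {
        if (cu->err > 0) cu->err--;
        cu->retry_ms = 0;
        cu->challenge = lfsr4_next(cu->challenge);   /* next pattern */
    } else {
        cu->err = cu->err + ERR_STEP > ERR_MAX ? ERR_MAX : cu->err + ERR_STEP;
        cu->retry_ms += PERIOD_MS;       /* same pattern is applied again */
        if (cu->retry_ms >= RETRY_LIMIT_MS) cu->shutdown = true;
    }
    return ok;
}

/* Simulated MC test function: XOR of generator rows, a different computation
 * from the CU's. stuck_mask models output bits stuck at 1 (constructed fault). */
uint8_t mc_respond(uint8_t challenge, uint8_t stuck_mask)
{
    static const uint8_t row[4] = { 0xFF, 0xAA, 0xCC, 0xF0 };
    uint8_t r = 0;
    for (int i = 0; i < 4; i++)
        if ((challenge >> i) & 1u) r ^= row[i];
    return (uint8_t)(r | stuck_mask);
}

/* Returns -1 if the CU latched off, 1 if the relay is enabled, 0 otherwise.
 * The fault is present only during the first fault_rounds rounds. */
int run_monitor(uint8_t stuck_mask, unsigned fault_rounds, unsigned t_ms, unsigned rounds)
{
    cu_t cu = { 0x1, ERR_START, 0, false };
    for (unsigned i = 0; i < rounds; i++) {
        uint8_t mask = i < fault_rounds ? stuck_mask : 0;
        cu_check(&cu, mc_respond(cu.challenge, mask), t_ms);
    }
    if (cu.shutdown) return -1;
    return cu.err < ENABLE_BELOW ? 1 : 0;
}

int main(void)
{
    printf("healthy=%d transient=%d persistent=%d\n", run_monitor(0, 0, 10, 5),
           run_monitor(0x01, 3, 10, 12), run_monitor(0x01, 7, 10, 12));
    return 0;
}
```

The stuck-at-1 fault on output bit 0 goes unnoticed for the first pattern, whose reference signal already has that bit set, and is caught by the second, which is why the generator cycles through many patterns.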

The second [means preferably have] apparatus, arrangement or
structure may include an initialization circuit, which 
receives an initialization signal from the voltage source 
after the control unit is enabled, subsequently synchronizes 
the CU with the MC, and then activates the test data signal 
generator and the error counter. The CU is synchronized with 
the MC in that the CU waits for the first data transmission of 
the MC. 

An additional object of the exemplary embodiment of the
present invention is to [develop and further refine] provide a 
method for checking a microcomputer [of the species cited at 
the outset to the effect] so that the reliability of the error 
detection [are further] may be improved, and the detection 
[is] may be expanded to additional types of errors. 

To achieve this object, [starting from] in the exemplary method
of [the species cited at the outset,] the present invention
[proposes that], the CU of the control unit measures the
quiescent current of the MC and applies a test data input
signal to the MC, determines a first test data output signal,
and compares a second test data output signal of the MC to the
first test data output signal of the CU.

Advantageously, the quiescent current measurement is in the
form of an IDDQ measurement. [Preferably, t]The IDDQ
measurement [is] may be carried out or performed after the
control unit is switched on after being enabled by an enable
signal.

According to [an advantageous further refinement of 
the] another exemplary method according to the present 
invention, the second test data output signal of the MC is 
compared to the first test data output signal of the CU while 
the control unit is in operation. This may ha[s]ve the 
advantage that the control unit does not have to be switched 
off to test the functionality of the microcomputer. Rather, MC 
computing power not used for controlling the application can 
be used to check the MC while the control unit is in
operation.

[Preferably, a] A false test data output signal [is] may be 
transmitted one time at regular intervals to the CU while the 
control unit is in operation to check the functionality of the 
disabling path. 

[An additional advantageous] Another exemplary embodiment of 
the present invention [start from] involves the 

[assumption] fact; that a clock generator is stopped by the MC 
during the IDDQ measurement and/or while the second test data 
output signal of the MC is being compared to the first test 
data output signal of the CU. The clock generator is provided 
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in the control system of the CU. The internal computer 
operations in particular are controlled as a function of the 
output signal of this clock generator. In the described IDDQ 
test mode, it is provided that this clock generator is 
switched off or disabled or disconnected from the MC. This can 
also be carried out or performed in the power-down mode when a 
particularly low quiescent current is to be achieved. The 
clock generator is switched off or disabled or disconnected 
especially at the start of every quiescent current 
measurement. 

[Preferably, t] The test data input signal of the CU [is] may be 
generated by a test data signal generator, via a feedback 
shift register. [Preferably, t]The test data output signal of 
the CU [is] may be generated by a response generator, with the 
aid of the Reed-Muller code. 

The exemplary control unit according to the present invention 
can be checked by two different test runs. A so-called 
start-up test is carried out immediately following the 
switching on of the control unit and prior to the operation of 
the control unit for controlling or regulating the 
safety-critical application. After the start-up test, a 
so-called online test is carried out or performed from time to 
time while the control unit is in operation. 

The start-up test is subdivided into two test segments, the 
so-called processor initialization segment (Proz-Init) and the 
subsequent so-called operating system initialization segment 
(BS-Init). The processor initialization segment includes a 
command test and a core test, a RAM/ROM test, and an IDDQ 
test. The operating system initialization segment includes a 
start-up control and a test of the CU. In the start-up 
control, different input values are tested on the control unit 
(e.g. a certain speed pattern of the wheels of a vehicle, as 
can typically occur at the input of an ABS control unit of the 
vehicle). The control unit carries out a regulation or control 
of the application based on the input values. The result of 
the simulated regulation or control is compared to 
corresponding setpoint values. When testing the CU, a 
defective MC is simulated, and the reaction of the CU to the 
defect is checked. 

The online test has a command test and a core test, a RAM/ROM 
test, a test of the CU, and a replication test. In the 
replication test, double memory spaces are provided for 
certain safety-critical variables, and certain safety-critical 
calculations are carried out twice. The contents of the double 
memory spaces and the results of the double calculations are 
compared to one another. The redundant storing and the 
redundant calculation are carried out by a processor of the 
control unit. 

Furthermore, the online test has a plausibility check in which 
control signals or regulation signals determined by the MC are 
checked for plausibility. In the case of an ABS control unit, 
one can, for example, check whether the speed, the 
acceleration, or the deceleration are within certain limits. 
Moreover, the values of the individual wheels of the vehicle 
must be in a certain relation to one another, which can also 
be checked. Finally, the online test has another operating 
system test and a test of the remaining monitoring units of 
the control unit. 

[A preferred exemplary embodiment of the present invention is 
explained in more detail in the light of the following 
drawings. The figures show: 

Figure 1] 

BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 shows a schematic [overview of a] block diagram of 
[a] an exemplary control unit according to the present 
invention[;]. 

Figure 2[ ] shows a more detailed [overview] view of a block 
diagram of the control unit from Fig. 1[;]. 

Figure 3[ ] shows [a] an exemplary circuit configuration for 
quiescent current measurement including a two-wire 
handshake[;] 

Figure 4[ ] shows a timing diagram of the measuring run 
control for the quiescent current from Figure 3. 

DETAILED DESCRIPTION 

Figure 1 shows a schematic [overview of a ] block diagram of 
[a] an exemplary control unit according to the present 
invention. Reference numeral 1 designates the exemplary 
control unit according to the present invention in its 
entirety. Control unit 1 is used to control safety-critical 
applications, e.g. for anti-lock (braking) systems, for 
traction control systems, and/or for electronic stability 
programs. [ ] 
Control unit 1 has a microcomputer MC, a monitoring unit (CU, 
check unit), and peripheral circuits (IO, input/output). 
Microcomputer MC, monitoring unit CU, and peripheral circuits 
IO are connected in series via a serial synchronous databus 2. 
Via its data output line MC_Dout, microcomputer MC transmits 
the data output signals through databus 2 to the bus users and 
simultaneously receives the data input signals via its data 
input line MC_Din. Using the signal SAM (sample), the bus 
users store the data received in their storage registers. 

There are additional connecting lines between microcomputer MC 
and monitoring unit CU, namely a shared supply line VDD or 
alternatively, a plurality of supply lines VDD for a digital 
and analog supply of microcomputer MC. Finally, IDDQ handshake 
lines IDDQ-HDSHK, which are used for controlling the quiescent 
current measurement (IDDQ measurement) of microcomputer MC, 
run between microcomputer MC and monitoring unit CU. So-called 
disabling paths 3 lead from monitoring unit CU to external 
warning lamps and/or relays to manipulate the safety-critical 
applications to be controlled, depending on whether monitoring 
unit CU detects an error of microcomputer MC. Peripheral 
circuits IO have connecting lines 4 to safety-critical 
application 5 to be controlled. 

After control unit 1 is switched on, the quiescent current is 
measured to check the functionality of microcomputer MC. While 
control unit 1 is in operation, the functionality of 
microcomputer MC is checked in that it regularly receives test 
data records, and the corresponding second test data output 
signal of the MC is compared to an error-free first test data 
output signal calculated by monitoring unit CU. 

Figure 2 shows a detailed overview of a block diagram of the 
control unit 1 from Figure 1. Monitoring unit CU includes a 
control system 6 of monitoring unit CU, a measuring run 
control 7 for the IDDQ measurement, an IDDQ measuring circuit 
8, and a voltage supply 9. Control system 6 of monitoring unit 
CU includes a test data signal generator 10, a response 
generator 11, and a comparator 12. With the aid of test data 
signal generator 10, a test data input signal is applied to 
microcomputer MC, and the microcomputer determines a second 
test data output signal as a function of the test data input 
signal and its own internal states. [ ] 

Response generator 11 processes the same test data input 
signal and forms a corresponding first test data output 
signal. In comparator 12, the first test data output signal of 
monitoring unit CU is compared to the second test data output 
signal of microcomputer MC. A trigger generator 13 determines 
the instant at which the second test data output signal of 
microcomputer MC is available at comparator 12, given an 
error-free, functioning microcomputer MC. 

Control system 6 of monitoring unit CU further has an error 
counter 14, which counts an error, [in the event that] if the 
second test data output signal of microcomputer MC is not 
consistent with the first test data output signal of 
monitoring unit CU, and/or [in the event that] if the second 
test data output signal of microcomputer MC is available at 
comparator 12 at a different instant than the one determined 
by trigger generator 13. 

Furthermore, control system 6 of monitoring unit CU has a test 
data register 17, which is used for transmitting and receiving 
test data. 

Finally, control system 6 of monitoring unit CU also has an 
initialization circuit 15, which receives an initialization 
signal RST from voltage supply 9 after control unit 1 is 
switched on and subsequently synchronizes monitoring unit CU 
with microcomputer MC in that the monitoring unit waits for 
the first data transmission of the MC. Initialization circuit 
15 subsequently activates test data signal generator 10 and 
error counter 14. 

In test data signal generator 10, the test data input signals 
for microcomputer MC are generated in a virtually random order 
by a feedback shift register. With the aid of the Reed-Muller 
codes, the bit string for the corresponding first test data 
output signal is formed in response generator 11, for every 
test data input signal. This code is used to maintain a 
distance that is as great as possible in the space of numbers 
of the test data output signals (Hamming distance). In 
comparator 12, the first test data output signal determined in 
response generator 11 is then compared to the actual second 
test data output signal of microcomputer MC. 

The instant of the comparison is specified by trigger 
generator 13. This is intended to ensure[s] that the time 
slices in microcomputer MC proceed correctly. Comparator 12 
not only checks the second test data output signal of the MC 
for the correct data value but also to determine whether the 
test data output signal is transmitted within a specific 
timing window. If the value and instant of the second test 
data output signal of the MC are correct, error counter 14 is 
decremented, and the safety-critical application to be 
controlled is kept in an active state via a signal interface 
16 in that external warning lights are switched off and the 
relays for triggering application 5 are activated. 

In every cycle following this first cycle, the instant and 
value of the second test data output signal of the MC must be 
correct to prevent error counter 14 from responding 
immediately. Error counter 14 has a plurality of response 
thresholds to prevent control unit 1 or application 5 from 
being switched off in the case of a singular disturbance and 
to enable microcomputer MC to check the disabling path. The 
first step blocks the valve output stages via signal EN and 
switches off the voltage supply of the valves via valve relay 
VRA. The display of the warning lights SILA is delayed by one 
cycle, so that there is no display when testing the disabling 
path. 

If a test data input signal is responded to at the wrong 
instant or with an incorrect value, the same test data input 
signal is applied again to microcomputer MC until the instant 
and value are correct. If this does not occur within a 
predefined time period, monitoring unit CU switches off the 
control unit 1, and it can no longer be activated even by 
correct responses. 
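
The monitoring sequence described above (feedback shift register, Reed-Muller response generator, comparator with timing window, error counter with repeated challenge and final switch-off) can be sketched in C as follows. This is an added illustration and not part of the specification; the 4-bit register polynomial, the RM(1,3) code, the timing window, the counter step and threshold, the retry limit, and all function names are assumed values chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>
/* Assumed parameters; the specification gives none of these values. */
enum { WIN_LO = 8, WIN_HI = 12,    /* timing window, arbitrary ticks */
       ERR_STEP = 2, BLOCK_AT = 2, /* one bad answer reaches the first threshold */
       MAX_RETRIES = 3 };          /* stands in for the "predefined time period" */
typedef enum { ACTIVE, OUTPUTS_BLOCKED, SHUT_DOWN } cu_state_t;
typedef struct { uint8_t challenge; int errors, retries; bool latched; } monitor_t;

/* Test data signal generator: 4-bit LFSR, x^4 + x^3 + 1 (period 15). */
uint8_t lfsr_next(uint8_t s) {
    uint8_t fb = ((s >> 3) ^ (s >> 2)) & 1u;
    return (uint8_t)(((s << 1) | fb) & 0x0Fu);
}

/* Response generator: first-order Reed-Muller code RM(1,3), 4 bits -> 8 bits. */
uint8_t rm13_encode(uint8_t m) {
    uint8_t cw = 0;
    for (unsigned i = 0; i < 8; i++) {
        unsigned b = m ^ ((m >> 1) & i) ^ ((m >> 2) & (i >> 1)) ^ ((m >> 3) & (i >> 2));
        cw |= (uint8_t)((b & 1u) << i);
    }
    return cw;
}

/* Smallest Hamming distance between any two expected responses. */
int rm13_min_distance(void) {
    int best = 8;
    for (unsigned a = 0; a < 16; a++)
        for (unsigned b = a + 1; b < 16; b++) {
            int d = 0;
            for (unsigned x = rm13_encode((uint8_t)a) ^ rm13_encode((uint8_t)b); x; x &= x - 1) d++;
            if (d < best) best = d;
        }
    return best;
}

/* Comparator and error counter: value and arrival time must both be right. */
cu_state_t monitor_step(monitor_t *m, uint8_t resp, unsigned t) {
    if (m->latched) return SHUT_DOWN;            /* correct answers no longer help */
    if (resp == rm13_encode(m->challenge) && t >= WIN_LO && t <= WIN_HI) {
        if (m->errors > 0) m->errors--;
        m->retries = 0;
        m->challenge = lfsr_next(m->challenge);  /* advance to the next test datum */
    } else {
        m->errors += ERR_STEP;                   /* same challenge is applied again */
        if (++m->retries > MAX_RETRIES) { m->latched = true; return SHUT_DOWN; }
    }
    return m->errors >= BLOCK_AT ? OUTPUTS_BLOCKED : ACTIVE;
}
```

With these assumed values a single wrong or late answer blocks the outputs and is cleared again by correct answers, while four consecutive failures on the same challenge latch the monitor off permanently.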

After control unit 1 is switched on, the quiescent current is 
measured for a set number (typically 8 to 16) of selected 
instants of a test program. The communication between 
microcomputer MC and monitoring unit CU for measuring the 
quiescent current is carried out via the two handshake lines 
START and END. While the quiescent current is being measured, 
microcomputer MC stops clock generator CLK. Between monitoring 
unit CU and microcomputer MC are two separate voltage supply 
lines, VDD_digital for supplying the digital component of 
microcomputer MC and VDD_analog for supplying the analog 
component of microcomputer MC. The quiescent current is 
measured in voltage supply line VDD_digital. 

The quiescent current measurement is enabled after the voltage 
supply is switched on via signal IDDQ_EN of control system 6 
of monitoring unit CU. The successful completion of the 
quiescent current measurement is signalized to control system 
6 of monitoring unit CU by signal IDDQ_FIN. Consequently, 
monitoring unit CU advances the test run in that 
initialization circuit 15 enables test data signal generator 
10 via a signal IDDQ_OK. 

Figure 3 shows a circuit configuration for measuring the 
quiescent current including a two-wire handshake. Figure 4 
shows the timing diagram of measuring run control 7 for the 
quiescent current measurement from Figure 3. After control 
unit 1 is switched on, microcomputer MC starts its self-test. 
Part of this self-test is the quiescent current measurement. 
If the functional sequence in microcomputer MC reaches the 
quiescent current test, the START signal is activated. At 
instant T1, the quiescent current measurement is activated by 
signal_Act. The output of comparator 12 for the quiescent 
current measurement is evaluated after time T2. If the value 
is acceptable, microcomputer MC is activated again by the END 
signal. If the value is outside of a limiting value, the 
measurement is repeated. The number of repetitions is preset.[ ] 

If repeating the measurement also does not produce a correct 
response, the measurement is discontinued, and monitoring unit 
CU does not switch on microcomputer MC but remains in a 
fail-safe mode. When all quiescent current measurements are 
completed, signal IDDQ_FIN is set to HIGH. Consequently, 
control system 6 of monitoring unit CU resets signal IDDQ_EN 
from HIGH to LOW. 

ABSTRACT OF THE DISCLOSURE 

[Abstract 

The present invention relates to a] A control unit [(1)], for 
controlling safety-critical applications [(5)], 
[having] includes a microcomputer [(MC)], a monitoring unit 
([CU, ]check unit), and peripheral circuits ([IO, 
]input/output)[. T], and in which, to [further] improve the 
reliability of the error detection for such control units, and 
to expand the detection to additional error types, [a control 
unit (1) of the indicated type is proposed in accordance with 
the present invention,] the monitoring unit [(CU) 
having] includes a first [means] apparatus, arrangement or 
structure for measuring the quiescent current of the 
microcomputer [(MC)]; at least one quiescent current handshake 
line [(IDDQ-HDSHK)] for controlling the measurement of the 
quiescent current running between the first [means of the CU 
and the MC; the CU having second means] apparatus, arrangement 
or structure of the monitoring unit and the microcomputer; the 
monitoring unit including a second apparatus, arrangement or 
structure for applying a test data input signal to the 
[MC] microcomputer, for processing the test data input signal, 
and for comparing the corresponding test data output signal of 
the [MC] microcomputer to the corresponding test data output 
signal of the [CU] monitoring unit; and at least one test data 
signal transmission line running between the second [means of 
the CU and the MC.] apparatus, arrangement or structure of the 
monitoring unit and the microcomputer. 



[ (Figure 2) ] 